Multi-record, custom field Splunk alert examples

When you create Splunk alerts that produce multiple records with custom fields, you need to
define the search criteria that generate the alert data. Examples of search criteria for security
incidents and security events are shown.

Security incident search

For a security incident, these criteria build a search that fills in columns of the security
incident table.

Security event search

For a security event, this is the same search, but it populates event fields instead. If
the event is later turned into a security incident, any populated fields that also exist on
the security incident are transferred to it. Fields that do not exist on the security
incident remain in the additional information field of the event and the alert.

Note: The search criteria you use add as many records as the search returns. That may be
5 records or 10,000,000,000 records, so this is NOT a recommended method for the bulk transfer of
data. The intent of this method is to add one record per REST call into the ServiceNow
instance.
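The field-transfer rule for events promoted to security incidents, together with the one-record-per-REST-call caveat from the note, as an added example that is not part of this page or of the ServiceNow integration itself. The security incident column names, the `additional_information` field name, the record cap and the sample Splunk rows are all assumptions constructed for illustration, not the instance's real schema.

```python
# Added example (not ServiceNow or Splunk code): models how populated event fields are
# either transferred to matching security incident columns or kept in additional
# information, and guards against a search that returns an oversized result set.
import json

# Hypothetical set of columns that exist on the security incident table (assumption).
SECURITY_INCIDENT_COLUMNS = {"short_description", "category", "priority", "cmdb_ci"}

# Hypothetical cap: the page warns a search may return anything from 5 to
# 10,000,000,000 records and that one REST call is made per record, so refuse
# result sets that would turn an alert into a bulk transfer (assumption).
MAX_RECORDS_PER_ALERT = 1000


def split_event_fields(event_fields, incident_columns=SECURITY_INCIDENT_COLUMNS):
    """Fields that exist on the incident are transferred; the rest stay in the
    additional information field (stored here as a JSON string, an assumption)."""
    transferred = {}
    extra = {}
    for name, value in event_fields.items():
        if name in incident_columns:
            transferred[name] = value
        else:
            extra[name] = value
    if extra:
        transferred["additional_information"] = json.dumps(extra, sort_keys=True)
    return transferred


def build_incident_payloads(alert_rows, max_records=MAX_RECORDS_PER_ALERT):
    """One payload per Splunk result row, i.e. one REST call per record."""
    if len(alert_rows) > max_records:
        raise ValueError(
            f"{len(alert_rows)} records exceed the cap of {max_records}; "
            "this path is not meant for bulk transfer"
        )
    return [split_event_fields(row) for row in alert_rows]


# Constructed sample Splunk alert rows (not real data).
SAMPLE_ROWS = [
    {"short_description": "Brute force from 203.0.113.5", "category": "Unauthorized access",
     "src_ip": "203.0.113.5", "failed_logins": 42},
    {"short_description": "Malware beacon", "priority": 1, "dest_host": "host-7"},
]

if __name__ == "__main__":
    for payload in build_incident_payloads(SAMPLE_ROWS):
        print(payload)
```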